This article is in draft/beta.
- It is based on community feedback and configurations shared with us. While the setup has been reported to work, it has not been fully tested or officially validated by Firewalla. Your network environment may differ, so results may vary.
- If you have any questions, please email us at help@firewalla.com
This is a brief introduction to a Site-to-Site IPsec VPN connection between Firewalla Gold Box and Cloudflare Magic WAN using Firewalla MSP.
To follow this guide, ensure that you have:
- Cloudflare Magic WAN with an IPsec tunnel set up.
- Firewalla MSP version 2.8.0 or later
- Firewalla Gold series box on your Firewalla MSP instance
In this guide, we use a Firewalla Gold as one site, and Cloudflare Magic WAN as the peer site. Both sites have public (WAN) IP addresses. Subnets on both sites can access each other, and devices on the Firewalla Gold can access the internet via the server site.
The following settings are assumed by this example:
| | Firewalla Gold (Client) | Cloudflare Magic WAN (Server) |
|---|---|---|
| WAN IP | 203.0.113.123 | 162.159.1.123 (Cloudflare Anycast IP) |
| LAN Subnets | 192.168.213.0/24, 10.180.217.0/24 | 10.69.42.10/31 |
- STEP 1: Cloudflare Magic WAN Server Configuration
- STEP 2: MSP VPN Client Configuration
- STEP 3: Verify Connection
STEP 1: Cloudflare Magic WAN Server Configuration
In this guide, we assume you already have an existing Cloudflare Magic WAN with an IPsec tunnel set up. If you need help setting up VPN connections on Cloudflare, please consult their user guide: https://developers.cloudflare.com/magic-wan/
Please note that in this guide, we follow the manual configuration based on strongSwan. https://developers.cloudflare.com/magic-wan/configuration/manually/third-party/strongswan/
When you add an IPsec tunnel configuration on Cloudflare, it should look something like this.
- Customer endpoint: Firewalla Gold WAN IP
- Cloudflare endpoint: Cloudflare Anycast IP (Provided by Cloudflare when the service is enabled)
- Tunnel health checks are optional and may not work correctly.
How to configure Cloudflare tunnel endpoints: https://developers.cloudflare.com/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/
You may also need to configure a route on Cloudflare to route return traffic back to the tunnel, using your Firewalla Gold LAN Subnet.
How to configure Cloudflare routes: https://developers.cloudflare.com/magic-wan/configuration/manually/how-to/configure-routes/
STEP 2: MSP VPN Client Configuration
In Firewalla MSP, go to your Firewalla Gold’s box view, then create a new MSP VPN Client.
Go to VPN Client (left navigation panel) > Create VPN Connection > select IPsec > Next. The MSP UI will look like this:
Enter a name for the VPN Connection. For the Configuration file, follow the template below. The values in <angle brackets> are placeholders that must be replaced with the settings of your own VPN setup. Parameters inside the conn section must be indented, since strongSwan treats a non-indented line as the start of a new section.

```
conn cloudflare-ipsec
    auto=start
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    # Firewalla side: IKE identity and the local subnets allowed into the tunnel
    leftid=<WAN IP of Firewalla>
    leftsubnet=<LAN Subnet CIDR of Firewalla>(separate with commas)
    # Cloudflare side: peer address, IKE identity and the remote subnets reachable through the tunnel
    right=<WAN IP of Cloudflare Server endpoint>
    rightid=<WAN IP of Cloudflare Server endpoint>
    rightsubnet=<LAN Subnet CIDR of Cloudflare>(separate with commas)
    rightauth=psk
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    replay_window=0
```
Use 0.0.0.0/0 as the rightsubnet if devices on the VPN connection should reach the Internet through the tunnel. In this example, we change the following lines to:

```
    leftid=203.0.113.123
    leftsubnet=192.168.213.0/24,10.180.217.0/24
    right=162.159.1.123
    rightid=162.159.1.123
    rightsubnet=0.0.0.0/0
```
Note that the above uses two left subnets, because there are two LANs on Firewalla that we want to reach the Cloudflare server. If we only want one subnet (192.168.213.0/24) to access the server, we could do:

```
    leftsubnet=192.168.213.0/24
```
For Secrets, the Cloudflare Magic WAN should generate a pre-shared key. Copy and paste the generated value into the text field on MSP UI. For example:
```
: PSK "<Pre-Shared Key value>"
```
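Before pasting the Configuration and Secrets text into MSP, it helps to check that the values are internally consistent: every subnet is a valid CIDR, no Firewalla LAN subnet collides with a Cloudflare subnet (which would make return routing ambiguous), and the pre-shared key can be quoted safely. The script below is an added example written for this guide, not Firewalla or Cloudflare code; it renders the conn block and the `ipsec.secrets` entry from the same parameters used above and reports such problems. The sample addresses are the ones in the table above, and the PSK is a constructed placeholder, not a Cloudflare-generated value.

```python
"""Render and sanity-check the strongSwan conn block and PSK entry from this guide.

Added example, not Firewalla or Cloudflare code. Parameter names mirror the
template above; the PSK used in the demo is a constructed placeholder.
"""
import ipaddress


def _parse_subnets(label, cidrs):
    """Parse each CIDR strictly (host bits must be zero) and return the networks."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError(f"{label}: {cidr!r} is not a valid network CIDR ({exc})") from None
    return nets


def check_site_to_site(left_id, left_subnets, right_ip, right_subnets, psk):
    """Return a list of problems; an empty list means the parameters look consistent.

    - both endpoints must be single IPv4 addresses (IKE identity and peer address)
    - every subnet must be a strict CIDR
    - a left subnet must not overlap a right subnet, except the 0.0.0.0/0 default
      route, which is meant to cover everything when Internet traffic uses the tunnel
    - the PSK must be at least 16 characters (a local minimum for this check) and
      contain no double quote, which would break the quoted ipsec.secrets entry
    """
    problems = []
    for label, addr in (("leftid", left_id), ("right/rightid", right_ip)):
        try:
            if ipaddress.ip_address(addr).version != 4:
                problems.append(f"{label}: {addr} is not an IPv4 address")
        except ValueError:
            problems.append(f"{label}: {addr!r} is not a single IP address")
    try:
        lefts = _parse_subnets("leftsubnet", left_subnets)
        rights = _parse_subnets("rightsubnet", right_subnets)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    for left in lefts:
        for right in rights:
            if right.prefixlen == 0:
                continue  # default route on the Cloudflare side: overlap is intended
            if left.overlaps(right):
                problems.append(f"leftsubnet {left} overlaps rightsubnet {right}")
    if len(psk) < 16:
        problems.append("PSK shorter than 16 characters")
    if '"' in psk:
        problems.append("PSK contains a double quote; it cannot be quoted in ipsec.secrets")
    return problems


def render_ipsec_conf(name, left_id, left_subnets, right_ip, right_subnets):
    """Render the conn block from the guide; parameters are indented as strongSwan requires."""
    lines = [
        f"conn {name}",
        "    auto=start",
        "    type=tunnel",
        "    keyexchange=ikev2",
        "    fragmentation=yes",
        f"    leftid={left_id}",
        f"    leftsubnet={','.join(left_subnets)}",
        f"    right={right_ip}",
        f"    rightid={right_ip}",
        f"    rightsubnet={','.join(right_subnets)}",
        "    rightauth=psk",
        "    ike=aes256-sha256-modp2048!",
        "    esp=aes256-sha256-modp2048!",
        "    replay_window=0",
    ]
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(psk):
    """Render the Secrets entry: a PSK that applies to any peer, as in the guide."""
    return f': PSK "{psk}"\n'


if __name__ == "__main__":
    # Sample values from the guide; the PSK is a constructed placeholder.
    args = ("203.0.113.123", ["192.168.213.0/24", "10.180.217.0/24"], "162.159.1.123", ["0.0.0.0/0"])
    psk = "constructed-placeholder-psk-0123456789"
    for problem in check_site_to_site(*args, psk):
        print("PROBLEM:", problem)
    print(render_ipsec_conf("cloudflare-ipsec", *args), end="")
    print(render_ipsec_secrets(psk), end="")
```

Running it with the guide's values prints the conn block and Secrets entry with no problems; swapping in a Cloudflare subnet that overlaps a Firewalla LAN, or a CIDR with host bits set, is reported before anything is pasted into MSP.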
After entering your Configuration and Secrets files (no Additional files needed), click Save in the top right corner to finish creating your 3rd-party VPN Connection.
On your new VPN connection, click Apply To to select the devices you'd like to apply the VPN and toggle on the VPN switch to establish the new connection. Once established, devices under your Firewalla Gold box can access devices behind the Cloudflare server and access the Internet.
STEP 3: Verify Connection
When the connection is successfully established, the VPN client list on MSP shows its status as connected.
Once it is connected and applied to a specific device, you can test whether that device can reach the Internet or a subnet behind Cloudflare.
Additionally, you can access the Internet from a VPN-connected device, then go to the Flows page in the Firewalla MSP UI, locate the corresponding flows, and check the outbound interface. If the flow is going through the VPN, the outbound interface will be your Cloudflare IPsec VPN.
- If you have any access issues, even though the VPN is enabled, check if there are any rules on the Cloudflare side to prevent direct internet access.